Germany Warns That Criminals Have Stolen 16 Million Email Credentials

"In an analysis of botnets by research institutions and law enforcement agencies around 16 million compromised user accounts were discovered. These usually consist of user details in the form of an email address and a password," said the BSI statement. "Many internet users use this login information not only for their own mail account but also for users accounts with Internet service providers, online shops, or social networks. The e-mail addresses have been handed over to the BSI so that those affected are informed and can take the necessary protective measures."

BSI has set up a website at https://www.sicherheitstest.bsi.de/ for concerned users to check whether their own details are among those stolen. The early demand was so great that the site was overwhelmed, and the capacity has since been increased. It was working at the time of this report.

Germany is one of the most privacy conscious of all European countries, and BSI has had to justify its own actions in storing personal information. Not everyone is comfortable with BSI having the data, "especially not after the Snowden revelations which make it difficult to know who you can trust," notes Spiegel Online (in German). 

BSI spokesman Tim Griese has stressed that BSI will retain none of the information after the process. If a user submits his or her email via the test website, it is checked against the database of stolen credentials. Only if a match is made is the user notified, by signed PGP email with a special code in the subject line. If this happens, the user is advised to change all passwords on all accounts and is given advice on how to disinfect his or her computer.

After that, the email address and password are deleted from the BSI computers. "I can assure you that nothing will be saved," Griese told Spiegel. The process had been reported to the German Data Protection Commissioner, who raised no objections.

The investigation into the hackers responsible is apparently continuing, and so far neither the Federal Criminal Police Office (BKA) nor the BSI has given any information on either the botnet or malware involved, nor the security company or companies helping with that investigation. The only indication of the bot concerned comes from the BSI statement: "Identity theft is one of the biggest risks when using the Internet... Usually this is done by a malware infection of the visited website. Malware is silently placed on the visitors' computers to track, for example, keystrokes and logins or to manipulate transactions directly." It goes on to explain that the captured keystroke data is covertly sent to a remote server from where it can be downloaded by the criminals.

The implication, without any confirmation, is that the 16 million credentials have been harvested via drive-by or waterhole attacks. Statistically, this would suggest that one or more exploit kits have then been used either to exploit a browser or Java vulnerability; and that the malware dropped is of some sophistication – possibly a keylogging man-in-the-browser trojan.

Nevertheless, there is concern that so many Europeans either have no or insufficient security. "Such attacks are constantly evolving: meaning organizations must ensure they are updating their protection to match instead of settling at a 'minimum' acceptable level," warns Chris McIntosh, CEO at ViaSat UK. "By combining common sense such as regularly changing passwords and using a variety of tactics such as firewalls, encryption and anti-virus software, users can protect themselves against these types of attack that are sure to become more commonplace as time goes on."